CVE-2022-0547
https://notcve.org/view.php?id=CVE-2022-0547
OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials. OpenVPN versiones 2.1 hasta v2.4.12 y versión v2.5.6, puede permitir una omisión de autenticación en los complementos de autenticación externa cuando más de uno de ellos hace uso de las respuestas de autenticación diferida, lo que permite que sea concedido acceso a un usuario externo con credenciales sólo parcialmente correctas • https://community.openvpn.net/openvpn/wiki/CVE-2022-0547 https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements https://lists.debian.org/debian-lts-announce/2022/05/msg00002.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GFXJ35WKPME4HYNQCQNAJHLCZOJL2SAE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R36OYC5SJ6FLPVAYJYYT4MOJ2I7MGYFF https://openvpn.net/community-downloads • CWE-287: Improper Authentication CWE-305: Authentication Bypass by Primary Weakness •
CVE-2021-31604 – OpenVPN Monitor 1.1.3 Cross Site Request Forgery
https://notcve.org/view.php?id=CVE-2021-31604
furlongm openvpn-monitor through 1.1.3 allows CSRF to disconnect an arbitrary client. furlongm openvpn-monitor versiones hasta 1.1.3, permite una vulnerabilidad de tipo CSRF para desconectar un cliente arbitrario OpenVPN Monitor versions 1.1.3 and below suffer from a cross site request forgery vulnerability that allows an attacker to disconnect arbitrary VPN clients. • http://packetstormsecurity.com/files/164281/OpenVPN-Monitor-1.1.3-Cross-Site-Request-Forgery.html https://github.com/furlongm/openvpn-monitor/releases • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2021-31605 – OpenVPN Monitor 1.1.3 Command Injection
https://notcve.org/view.php?id=CVE-2021-31605
furlongm openvpn-monitor through 1.1.3 allows %0a command injection via the OpenVPN management interface socket. This can shut down the server via signal%20SIGTERM. furlongm openvpn-monitor versiones hasta 1.1.3, permite una inyección de comandos %0a por medio del socket de la interfaz de administración de OpenVPN. Esto puede apagar el servidor por medio de signal%20SIGTERM OpenVPN Monitor versions 1.1.3 and below suffer from an injection vulnerability that allows an attacker to inject arbitrary commands into the OpenVPN server management interface socket. • http://packetstormsecurity.com/files/164278/OpenVPN-Monitor-1.1.3-Command-Injection.html https://github.com/furlongm/openvpn-monitor/releases • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2021-31606 – OpenVPN Monitor 1.1.3 Authorization Bypass / Denial Of Service
https://notcve.org/view.php?id=CVE-2021-31606
furlongm openvpn-monitor through 1.1.3 allows Authorization Bypass to disconnect arbitrary clients. furlongm openvpn-monitor versiones hasta 1.1.3 permite una Omisión de Autorización para desconectar clientes arbitrarios OpenVPN Monitor versions 1.1.3 and below suffer from an authorization bypass vulnerability that allows an attacker to disconnect arbitrary clients, even if the disconnect feature is disabled. • http://packetstormsecurity.com/files/164274/OpenVPN-Monitor-1.1.3-Authorization-Bypass-Denial-Of-Service.html https://github.com/furlongm/openvpn-monitor/commit/ddb9d31ef0ec56f578bdacf99ebe9d68455ed8ca https://github.com/furlongm/openvpn-monitor/releases • CWE-287: Improper Authentication •
CVE-2021-3824
https://notcve.org/view.php?id=CVE-2021-3824
OpenVPN Access Server 2.9.0 through 2.9.4 allow remote attackers to inject arbitrary web script or HTML via the web login page URL. OpenVPN Access Server versiones 2.9.0 hasta 2.9.4, permiten a atacantes remotos inyectar script web o HTML arbitrario por medio de la URL de la página de inicio de sesión • https://openvpn.net/vpn-server-resources/release-notes/#openvpn-access-server-2-9-5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-84: Improper Neutralization of Encoded URI Schemes in a Web Page •